Re: Is it possible to do some damage to database with SELECT query? - Mailing list pgsql-general

From Bill Moran
Subject Re: Is it possible to do some damage to database with SELECT query?
Msg-id 20080722075821.f0980716.wmoran@collaborativefusion.com
In response to Is it possible to do some damage to database with SELECT query?  ("Teemu Juntunen" <teemu.juntunen@e-ngine.fi>)
List pgsql-general
In response to "Teemu Juntunen" <teemu.juntunen@e-ngine.fi>:

> Hi,
>
> Is it possible to make a SELECT query with some nasty follow-up commands
> which damage the database?
>
> Something like:
>
> SELECT *,(DROP DATABASE enterprise) AS roger FROM sales WHERE sales >
> (UPDATE order SET order=1);
>
> I know this won't work, but is there some possibility to modify the database with
> a SELECT query?
>
> I'm developing an ERP where I would like to implement a statistical program
> where you can write your own SELECT queries.

Yes, it's easy to do with stored procedures.  i.e.:
SELECT drop_table('important_table') FROM some_other_table;

This is managed with database permissions.  Ensure that the user your
dynamic query engine is connecting as does not have permissions to
drop tables, or even delete rows from the tables (see the GRANT docs).
By doing so, you ensure that even if someone can create a dangerous
procedure and execute it via a query, they can't do any damage.

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
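A worked version of the advice in this reply, as an added example that is not from the thread: a writing function is called from a SELECT list, and a dedicated role with SELECT-only privileges then cannot do the same. The table names, the reset_orders function and the stats_reader role are made up for the demo; the example also goes a step beyond the reply by revoking EXECUTE from PUBLIC and making the role's transactions read-only by default.

```sql
-- Constructed demo schema (not from the thread).
CREATE TABLE sales  (id serial PRIMARY KEY, amount numeric);
CREATE TABLE orders (id serial PRIMARY KEY, status int NOT NULL DEFAULT 0);
INSERT INTO sales (amount) VALUES (10), (20);
INSERT INTO orders (status) VALUES (0), (0);

-- A function that writes. Nothing stops it being called from a SELECT list;
-- run by the table owner, the query below updates every row of orders once per
-- row of sales.
CREATE FUNCTION reset_orders() RETURNS int LANGUAGE sql AS $$
  UPDATE orders SET status = 1;
  SELECT count(*)::int FROM orders;
$$;
SELECT id, reset_orders() FROM sales;

-- Mitigation: a separate role for the user-written statistics queries, granted
-- nothing but SELECT on the tables they may read.
CREATE ROLE stats_reader LOGIN PASSWORD 'placeholder-change-me';
GRANT USAGE ON SCHEMA public TO stats_reader;
GRANT SELECT ON sales, orders TO stats_reader;

-- Functions are executable by PUBLIC by default. A SECURITY INVOKER function
-- such as reset_orders() would already fail on its UPDATE for this role, but a
-- SECURITY DEFINER function runs with its owner's rights, so revoke EXECUTE
-- explicitly on any writing function rather than relying on that.
REVOKE EXECUTE ON FUNCTION reset_orders() FROM PUBLIC;

-- Defence in depth: every transaction this role starts is read-only, which
-- blocks INSERT/UPDATE/DELETE/DDL even if a table privilege is granted by
-- mistake later.
ALTER ROLE stats_reader SET default_transaction_read_only = on;

-- In a session logged in as stats_reader, both of these are rejected:
-- the first because the role has no EXECUTE privilege on the function,
-- the second because it has no UPDATE privilege on the table.
SELECT id, reset_orders() FROM sales;
UPDATE orders SET status = 2;

-- Plain reads still work as intended for the statistics program:
SELECT s.id, s.amount, count(o.id) AS order_count
FROM sales s LEFT JOIN orders o ON o.id = s.id
GROUP BY s.id, s.amount;
```

Review the privileges with \dp in psql after any schema change; a new table is not covered by an earlier GRANT unless ALTER DEFAULT PRIVILEGES was used.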